Merge branch 'main' into server-onboarding

Author: denisebmsft

.github/workflows/StaleBranch.yml

@@ -0,0 +1,25 @@
+name: (Scheduled) Stale branch removal
+
+permissions:
+  contents: write
+      
+on:
+  schedule:
+    - cron: "0 */12 * * *"
+
+  workflow_dispatch:
+  
+
+jobs:
+
+  stale-branch:
+    uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-StaleBranch.yml@workflows-prod
+    with:
+        PayloadJson: ${{ toJSON(github) }}
+        RepoBranchSkipList: '[
+                              "ExampleBranch1",
+                              "ExampleBranch2"
+                             ]'
+        ReportOnly: true
+    secrets:
+        AccessToken: ${{ secrets.GITHUB_TOKEN }}

ATPDocs/manage-security-alerts.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 # Investigate Defender for Identity security alerts in Microsoft Defender XDR
 
 > [!NOTE]
-> Defender for Identity is not designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
+> Defender for Identity isn't designed to serve as an auditing or logging solution that captures every single operation or activity on the servers where the sensor is installed. It only captures the data required for its detection and recommendation mechanisms.
 
 This article explains the basics of how to work with Microsoft Defender for Identity security alerts in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center).
 
@@ -87,7 +87,7 @@ On the right pane, you'll see the **Alert details**. Here you can see more detai
     You can also export the alert to an Excel file. To do this, select **Export.**
 
     > [!NOTE]
-    > In the Excel file, you now have two links available: **View in Microsoft Defender for Identity** and **View in Microsoft Defender XDR**. Each link will bring you to the relevant portal, and provide information about the alert there.
+    > Alert export option is limited to Microsoft Defender for Identity Alerts with the "aa" prefix, for more information refer to [XDR Alert Sources](https://learn.microsoft.com/defender-xdr/investigate-alerts?tabs=settings#alert-sources).
 
 ## Tuning alerts
 

ATPDocs/replace-entra-connect-default-admin.md

@@ -0,0 +1,44 @@
+---
+title:       'Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account'
+description: 'This report lists any Entra Connect AD DS Connector account that is an Enterprise Administrator or Domain Administrator.'
+author:      LiorShapiraa # GitHub alias
+ms.author:   Liorshapira # Microsoft alias
+# ms.prod:   microsoft-defender-for-identity
+ms.topic:    article
+ms.date:     03/16/2025
+---
+
+# Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
+
+This article describes Microsoft Defender for Identity's Microsoft Entra Connect AD DS Connector account default admin security posture assessment report.
+
+> [!NOTE]
+> This security assessment will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services.
+
+## Why might using an Enterprise or Domain Admin account for the Microsoft Entra Connect AD DS Connector be a risk?
+
+Smart attackers often target Microsoft Entra Connect in on-premises environments due to the elevated privileges associated with its AD DS Connector account (typically created in Active Directory with the MSOL_ prefix). Using an **Enterprise Admin** or **Domain Admin** account for this purpose significantly increases the attack surface, as these accounts have broad control over the directory.
+
+Starting with [Entra Connect build 1.4.###.#](/entra/identity/hybrid/connect/reference-connect-accounts-permissions), Enterprise Admin and Domain Admin accounts can no longer be used as the AD DS Connector account. This best practice prevents over-privileging the connector account, reducing the risk of domain-wide compromise if the account is targeted by attackers. Organizations must now create or assign a lower-privileged account specifically for directory synchronization, ensuring better adherence to the principle of least privilege and protecting critical admin accounts.
+
+## How do I use this security assessment to improve my hybrid organizational security posture?
+
+1. Review the recommended action at[ https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account.
+
+1. Review the exposed accounts and their group memberships. The list contains members of Domain/Enterprise Admins through direct and recursive membership.
+
+1. Perform one of the following actions:
+
+   - Remove MSOL_ user account user from privileged groups, ensuring it retains the necessary permissions to function as the Entra Connect Connector account.
+   
+   - Change the Entra Connect AD DS Connector account (MSOL_) to a lower-privileged account. 
+   
+> [!NOTE]
+> While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as **Completed**.
+
+## Next steps
+
+- Learn more about [Microsoft Secure score]().
+
+- Learn more about [Defender for Identity Sensor for Microsoft Entra Connect](https://aka.ms/MdiSensorForMicrosoftEntraConnectInstallation)
+

ATPDocs/security-assessment.md

@@ -38,24 +38,30 @@ Defender for Identity security posture assessments have five key categories. Eac
 ## Access Defender for Identity security posture assessments
 
 > [!NOTE]
-You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
-While *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server. For more information, see [Configuring sensors for AD FS and AD CS](deploy/active-directory-federation-services.md).
+> You must have a Defender for Identity license to view Defender for Identity security posture assessments in Microsoft Secure Score.
+> 
+> Additionally, while *certificate template* assessments are available to all customers with AD CS installed in their environment, *certificate authority* assessments are available only to customers who have installed a sensor on an AD CS server.   
+>
+> Hybrid security recommendations will be available only if Microsoft Defender for Identity sensor is installed on servers running Microsoft Entra Connect services.  
+>
+> For more information, see [Configuring sensors for AD FS, AD CS and Entra Connect.](https://aka.ms/DeployMdiSensorOnYourIdentityInfrastructure)
 
 **To access identity security posture assessments**:
 
 1. Open the [Microsoft Secure Score dashboard](https://security.microsoft.com/securescore).
 1. Select the **Recommended actions** tab. You can search for a particular recommended action, or filter the results (for example, by the category **Identity**).
 
     [![Recommended actions.](media/recommended-actions.png)](media/recommended-actions.png#lightbox)
-
+   
 1. For more details, select the assessment.
 
     [![Select the assessment.](media/select-assessment.png)](media/select-assessment.png#lightbox)
-
+   
 [!INCLUDE [secure-score-note](../includes/secure-score-note.md)]
 
 
 ## Next steps
 
 - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
+

ATPDocs/toc.yml

@@ -172,6 +172,8 @@ items:
          displayName: Microsoft Entra Connect
        - name: Remove unnecessary replication permissions for Microsoft Entra Connect connector account
          href: remove-replication-permissions-microsoft-entra-connect.md
+       - name: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
+         href: replace-entra-connect-default-admin.md
      - name: Identity infrastructure
        items:
        - name: Built-in Active Directory Guest account is enabled
@@ -188,26 +190,26 @@ items:
          href: security-assessment-unsecure-domain-configurations.md
      - name: Certificates
        items: 
-        - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
-          href: security-assessment-enforce-encryption-rpc.md
-        - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
-          href: security-assessment-insecure-adcs-certificate-enrollment.md
-        - name: Misconfigured certificate templates owner  (ESC4)
-          href: security-assessment-edit-misconfigured-owner.md
-        - name: Misconfigured Certificate Authority ACL  (ESC7)
-          href: security-assessment-edit-misconfigured-ca-acl.md
-        - name: Misconfigured certificate templates ACL (ESC4)
-          href: security-assessment-edit-misconfigured-acl.md
-        - name: Misconfigured enrollment agent certificate template  (ESC3)
-          href: security-assessment-edit-misconfigured-enrollment-agent.md    
-        - name: Overly permissive certificate template with privileged EKU (ESC2)
-          href: security-assessment-edit-overly-permissive-template.md
-        - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
-          href: prevent-certificate-enrollment-esc15.md
-        - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
-          href: security-assessment-prevent-users-request-certificate.md
-        - name: Vulnerable Certificate Authority setting (ESC6)
-          href: security-assessment-edit-vulnerable-ca-setting.md
+       - name: Enforce encryption for RPC certificate enrollment interface  (ESC8)
+         href: security-assessment-enforce-encryption-rpc.md
+       - name: Insecure ADCS certificate enrollment IIS endpoints (ESC8)
+         href: security-assessment-insecure-adcs-certificate-enrollment.md
+       - name: Misconfigured certificate templates owner  (ESC4)
+         href: security-assessment-edit-misconfigured-owner.md
+       - name: Misconfigured Certificate Authority ACL  (ESC7)
+         href: security-assessment-edit-misconfigured-ca-acl.md
+       - name: Misconfigured certificate templates ACL (ESC4)
+         href: security-assessment-edit-misconfigured-acl.md
+       - name: Misconfigured enrollment agent certificate template  (ESC3)
+         href: security-assessment-edit-misconfigured-enrollment-agent.md    
+       - name: Overly permissive certificate template with privileged EKU (ESC2)
+         href: security-assessment-edit-overly-permissive-template.md
+       - name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
+         href: prevent-certificate-enrollment-esc15.md
+       - name: Prevent requests for certificates valid for arbitrary users  (ESC1)
+         href: security-assessment-prevent-users-request-certificate.md
+       - name: Vulnerable Certificate Authority setting (ESC6)
+         href: security-assessment-edit-vulnerable-ca-setting.md
      - name: Group policy 
        items: 
         - name: GPO assigns unprivileged identities to local groups with elevated privileges

CloudAppSecurityDocs/accounts.md

@@ -4,12 +4,23 @@ description: This article provides information about reviewing accounts from you
 ms.date: 01/29/2023
 ms.topic: how-to
 ---
-# Accounts
+# Cloud Application Accounts
 
 
 
 Microsoft Defender for Cloud Apps gives you visibility into the accounts from your connected apps. After you connect Defender for Cloud Apps to an app using the App connector, Defender for Cloud Apps reads account information associated with connected apps. The Accounts page enables you to investigate those accounts, permissions, the groups they're members of, their aliases, and the apps they're using. Additionally, when Defender for Cloud Apps detects a new account that wasn't previously seen in one of the connected apps - for example, in activities or file sharing - the account is added to the accounts list of that app. This enables you to have visibility into the activity of external users interacting with your cloud apps.
 
+## Identity Inventory (Preview)
+
+> [!NOTE]
+> The Identities page is in the process of merging into the unified **Identity Inventory (Preview)**. 
+> 
+> The **Identity inventory** provides a centralized view of all identities in your organization, enabling you to monitor and manage them efficiently. At a glance, you can see key details such as Domain, Tags, Type, and other attributes, helping you quickly identify and manage identities that require attention. 
+> 
+> The functionality of the Identities page, as presented below, will be provided in the new Identity Inventory under the "**Cloud application accounts**" tab, offering the same features as it does today. For more details, visit the [Identity Inventory documentation](/defender-for-identity/identity-inventory).
+> 
+## Identities
+
 Admins can search for a specific user's metadata or user's activity. The **Identities** page provides you with comprehensive details about the entities that are pulled from connected cloud applications. It also provides the user's activity history and security alerts related to the user.
 
 The **Identities** page can be [filtered](#identities-filters) to enable you to find specific accounts and to deep dive into different types of accounts, for example, you can filter for all External accounts that haven't been accessed since last year.
@@ -25,15 +36,15 @@ The **Identities** page enables you to easily investigate your accounts, includi
 * You can see which apps are accessed by each account and which apps are deleted for specific accounts
 
     ![accounts screen.](media/accounts-page.png)
-
-## Identities filters
+  
+### Identities filters
 
 Following is a list of the account filters that can be applied. Most filters support multiple values as well as NOT, in order to provide you with a powerful tool for policy creation.  
 
 * **Affiliation**: The affiliation is either **Internal** or **External**. To set which users and accounts are internal, under **Settings** make sure to set the **IP address range** of your internal organization. If the account has admin permissions the icon in the Accounts table appears with the addition of the red tie:
 
     ![accounts admin icon.](media/accounts-admin-icon.png)
-
+  
 * **App**: You can filter for any API connected app being used by accounts in your organization.
 * **Domain**: This enables you to filter for users in specific domains.
 * **Groups**: Enables you to filter for members of user groups in Defender for Cloud Apps - both built-in user groups and imported user groups.
@@ -45,13 +56,13 @@ Following is a list of the account filters that can be applied. Most filters sup
 * **Type**: This enables you to filter to either the user or the account type.
 * **User name**: Enables you to filter specific users.
 
-## Governance actions
+### Governance actions
 
 From the **Users and account** page, you can take governance actions such as suspending an app or going to the account settings page. For a full list of governance actions, see the [governance log](governance-actions.md).
 
 For example, if you identify a user that is compromised, you can apply the **Confirm user compromised** action to set the user risk level to high, causing the relevant policy actions defined in Microsoft Entra ID to be enforced. The action can be applied manually or using relevant [policies that support governance actions](governance-actions.md).
 
-### To manually apply a user or account governance action
+#### To manually apply a user or account governance action
 
 From the **Users and account** page, on the row where the relevant user or account appears, choose the three dots at the end of the row, then select **Confirm user compromised**.
 

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -108,14 +108,14 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
   > Support for Microsoft Defender for Endpoint on Linux for ARM64-based Linux devices is now in preview. For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md). 
    
   > [!NOTE]
-  > The workstation versions of these distributions are unsupported.
-  > Distributions and versions that aren't explicitly listed are unsupported (even if they're derived from the officially supported distributions). 
+  > The workstation versions of these distributions are not supported.
+  > Distributions and versions that aren't explicitly listed are not supported (even if they're derived from the officially supported distributions). 
   > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
   > Currently, Rocky and Alma distributions aren't supported in Microsoft Defender Vulnerability Management.
   > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version agnostic. The minimal requirement for the kernel version to be `3.10.0-327` or later.
   
   > [!CAUTION]
-  > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions isn't supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
+  > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions isn't supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore not supported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
   
 - List of supported filesystems for RTP, Quick, Full, and Custom Scan.